Yes, my statement is correct. You claiming otherwise doesn't change that fact. If you want to effectively challenge it, provide proof.
No, you need to start providing proof for your claims instead of consistently requiring proof from others when they tell you that you are wrong. Even if the proof has been given (start reading the document that someone links to for a change!).
Also, this is standard security practice for any operating system. This is NOT a Windows thought whatsoever. If you read any UNIX/Linux book that talks about system administration you'll find this sort of advice (especially in combination with tools like sudo).
Conceiving some imagined flaw is quite different from providing factual evidence that such a flaw currently exists. Your hypothesis is not a threat until it becomes reality, which it hasn't.
The same applies for your reasoning. You are also simply claiming something is the truth without providing any evidence whatsoever.
You also seriously need to up your knowledge about security measures in a UNIX environment such as OS X and security attacks in general. Running malicious software is only part of the deal. If the account is able to read and write in certain areas without needing to provide a password then you have a problem. There are certain areas where an ordinary user is not allowed but any admin user will be granted access without providing any password. Because the standard isn't allowed you need to provide an admin account who can access it. That is an additional layer of security which is what we are talking about. So no, your statement is definitely not true at all.
Having access to a system is so much more than just being able to run an application. That is why we have user accounts, groups, ACL, etc. in the first place. Security isn't just one thing, it is an entire set of measurements. The entire point of having security is looking at what you need and making decisions based on that.
Check the various hack attacks done on webservers. There are many that used the fact that they could write to other places without needing passwords or specific accounts. It is like going up the stairs: step by step.
If an admin does something that requires admin privileges, an admin password is requested.
If a user does something that requires admin privileges, an admin password is requested.
How is one scenario more secure than the other?
Difference in rights that do not require the password of an admin user. The admin user is not just an ordinary user with the ability to use something like sudo. The admin user is an elevated user account with the ability to use something like sudo. This means that it has a bit more rights by default, without needing a password, than an ordinary user.
The problem in this case is that OS X is aimed at single user use. It doesn't really count on having more than 1 user (which is what Windows does as well). It does support more than 1 and it has really good support for that too but it is not what it is expecting. There are more things in OS X that give this kind of setup away. Take a look at the ACL on /Users. You can look in other users' homedirs. In some countries this is a breach of privacy law. Obviously it doesn't go as far for a home computer. The difference in security doesn't stop with the ACL btw.
One thing you really should do is check the security fixes Apple lists on:
https://support.apple.com/kb/HT1222
Dig through them and you'll see some bugs that are aimed at admin users. A very recent one is the sudo password caching bug: an ordinary user isn't allowed to use sudo thus you need to su into an admin account and then use sudo; alternatively you can use sudo -k instead to not cache the password but you need to remember this, forgetting it 1 time is all it takes. I urge anyone to make his/her own risk assessment and decide what measures they need/want.
Btw deleting something from say /Applications can also be considered as malicious. Something is malicious if it does something willingly and knowingly that will break something (not being able to run a certain app is exactly that).
Lastly: running as ordinary user is just a useful thing to do because it will ask you for the username/password of an admin user when some system change will need to be made. It is more like a reminder for the user and can be used to prevent something like accidentally deleting an application.
And the only real-world threat that exists outside of theories, hypotheses and hacking competitions is malware. There simply is no current hacking threat for the average user.
There are no CERTs/CSIRTs that will support your claim because they don't stick their heads in the sand. They know this happens and they have a lot of evidence. This IS a real-world threat. What you are doing here is denying the existence of botnets, malware scanners, etc. Botnets need machines, they don't care what they are. Same with something like the flu. The flu doesn't care who you are, how much money you have, where you live, etc. That's why we have flu shots.
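The two settings the post above argues about, admin-group membership and sudo password caching, can be checked rather than debated. This is an added example, not part of the original post: the function names are hypothetical, the sudoers excerpt and group list are constructed, and the 5-minute default is an assumption taken from the sudoers manual.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not taken from a real host.
SUDO_DEFAULT_TIMEOUT=5   # assumption: documented sudoers default, in minutes

# Read sudoers text on stdin; print the global timestamp_timeout in effect.
# Scoped entries (Defaults:user, Defaults@host) are deliberately ignored.
sudo_cache_minutes() {
    awk -v def="$SUDO_DEFAULT_TIMEOUT" '
        /^[ \t]*#/ { next }
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    val = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", val)
                    sub(/[ \t]+$/, "", val)
                    def = val            # a later Defaults line overrides
                }
        }
        END { print def }'
}

# Classify a timeout value: 0 disables caching, negative never expires.
describe_cache() {
    case "$1" in
        0)  echo "prompt-every-time" ;;
        -*) echo "never-expires" ;;
        *)  echo "cached-$1-min" ;;
    esac
}

# $1 = output of `id -Gn <user>`; true if the user is in the "admin" group.
is_admin_member() {
    case " $1 " in *" admin "*) return 0 ;; *) return 1 ;; esac
}

SAMPLE_SUDOERS='# constructed sudoers excerpt
Defaults env_reset
Defaults:backup timestamp_timeout=30
Defaults env_reset, timestamp_timeout=0'
SAMPLE_GROUPS="staff everyone admin _appstore"

mins=$(printf '%s\n' "$SAMPLE_SUDOERS" | sudo_cache_minutes)
is_admin_member "$SAMPLE_GROUPS" && role=admin || role=standard
echo "account=$role sudo_cache=$(describe_cache "$mins")"
```

On a live system, pass the output of `id -Gn "$USER"` and the contents of the sudoers file instead of the samples. A global `Defaults timestamp_timeout=0` makes sudo prompt every time, which removes the need to remember `sudo -k`.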